Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") supplements and forms part of the Merchant Services Agreement or Master Services Agreement between Anton Payments Inc. and the Merchant, and governs the processing of personal data in connection with Anton's cross-border payout services.

1. Definitions

Controller: The entity that determines the purposes and means of processing personal data. In the context of payout services, the Merchant is typically the Controller of payee personal data.

Processor: The entity that processes personal data on behalf of the Controller. Anton Payments acts as a Processor when processing payee and beneficiary data on behalf of the Merchant.

Personal Data: Any information relating to an identified or identifiable natural person, including payee names, addresses, bank account details, identity documents, and transaction data.

Applicable Data Protection Laws: The Personal Information Protection and Electronic Documents Act (PIPEDA, Canada), the General Data Protection Regulation (GDPR, EU), the California Consumer Privacy Act (CCPA), and other applicable data protection and privacy laws.

2. Scope and Roles

This DPA applies to all processing of personal data by Anton Payments on behalf of the Merchant in connection with the provision of payout services, including:

  • Payee (beneficiary) creation, verification, and management
  • Payout transaction processing and settlement
  • Compliance screening (sanctions, PEP, identity verification)
  • Risk scoring and transaction monitoring
  • Record keeping required by AML/ATF regulations

Merchant as Controller: The Merchant acts as the Controller of personal data relating to its payees and beneficiaries whose data is processed through Anton's services.

Anton as Processor: Anton Payments acts as a Processor when processing payee and beneficiary data on behalf of the Merchant. Anton may also act as an independent Controller for data processing required by law (e.g., AML/ATF compliance obligations, regulatory reporting).

3. Categories of Personal Data

Personal data processed in connection with the payout services may include:

  • Payee identity data: Full name, date of birth, nationality, country of residence, government-issued identification numbers
  • Payee financial data: Bank account details, payment instrument information, wallet addresses
  • Merchant identity data: Business legal name, registration number, tax identification, beneficial owner identity information
  • Transaction data: Payout amounts, currencies, corridors, timestamps, purpose of payment, risk scores, screening results
  • Compliance data: KYB/KYC verification status, sanctions screening results, PEP screening status, risk tier classifications
  • Technical data: IP addresses, API request metadata, user agent information

4. Processing Instructions

Anton Payments will process personal data only in accordance with:

  • The Merchant's documented instructions as set forth in the applicable agreement
  • This DPA and the underlying Merchant Services Agreement or MSA
  • Applicable Data Protection Laws
  • Legal obligations applicable to Anton as a Money Services Business (e.g., AML/ATF record keeping, suspicious activity reporting, sanctions screening)

Where Anton is required by law to process personal data beyond the Merchant's instructions (e.g., regulatory reporting obligations under PCMLTFA or BSA), Anton will inform the Merchant of that legal requirement before processing, unless prohibited by law from doing so (e.g., tipping-off prohibitions under PCMLTFA s. 8).

5. Security Measures

Anton Payments implements appropriate technical and organisational measures to protect personal data, including:

  • Encryption: All data encrypted in transit (TLS 1.2 minimum, PCI DSS Req 4.1) and at rest (AES-256 via Google Cloud KMS with customer-managed encryption keys, 90-day rotation)
  • PII isolation: All personally identifiable information and payment instruments are stored in Basis Theory's PCI DSS Level 1 certified tokenisation vault, isolated from Anton's core database. Only token references are stored in Anton's systems.
  • Access controls: Role-based access controls with eight graduated permission levels, enforced at the application layer. Least-privilege principles applied to all infrastructure access.
  • Network security: Google Cloud Armor WAF, VPC network isolation, DNSSEC, and infrastructure-level sanctions blocking
  • Audit trail: Append-only, immutable audit logs for all data access and modifications, retained for seven years
  • Infrastructure: All services hosted on Google Cloud Platform (northamerica-northeast1 region, Montreal) with CMEK encryption, deletion protection, and automated backups

6. Sub-Processors

The Merchant authorises Anton Payments to engage the following sub-processors to assist in providing the payout services:

Sub-Processor | Purpose | Data Processed
Google Cloud Platform | Infrastructure hosting | All service data (encrypted at rest and in transit)
Basis Theory | PII and payment instrument tokenisation | Payee PII, bank account details, identity documents
Persona | KYB/KYC identity verification, PEP and sanctions screening | Merchant and beneficial owner identity data, verification documents
WorkOS | Enterprise identity and authentication | Merchant portal user authentication data
Payment rail partners | Payout processing and settlement | Payee name, bank details, transaction amount, currency, destination

Anton Payments enters into written agreements with all sub-processors imposing data protection obligations no less protective than those in this DPA. Anton will notify the Merchant of any intended changes to sub-processors at least 30 days in advance. The Merchant may object to a new sub-processor within 30 days of notification.

7. Data Subject Rights

Anton Payments will assist the Merchant in responding to requests from data subjects to exercise their rights under Applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.

If Anton receives a data subject request directly, it will forward the request to the Merchant and will not respond directly unless required by law. Anton will provide reasonable assistance in responding to such requests through available tools and API capabilities.

Regulatory retention override: Certain personal data may be retained beyond the Merchant's deletion request where required by AML/ATF record-keeping obligations (minimum five years under PCMLTFA and BSA/FinCEN). Anton will inform the Merchant when regulatory retention requirements prevent deletion.

8. Data Breach Notification

Anton Payments will notify the Merchant without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting data processed on behalf of the Merchant. The notification will include:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects

Anton will provide reasonable assistance to the Merchant in preparing any required notifications to data subjects or supervisory authorities.

9. International Data Transfers

Anton's primary infrastructure is hosted in Google Cloud's northamerica-northeast1 region (Montreal, Canada). Personal data may be transferred to and processed in other jurisdictions in connection with payment rail partner processing and sub-processor operations.

For transfers of personal data from the EEA or UK, Anton relies on Standard Contractual Clauses (SCCs) approved by the European Commission or other legally recognised transfer mechanisms. Canada has been recognised by the European Commission as providing an adequate level of data protection.

10. Data Retention and Deletion

Personal data is retained only for as long as necessary to provide the payout services or as required by law. Upon termination of the agreement or upon the Merchant's written request, Anton will delete or return all personal data, subject to:

  • AML/ATF record-keeping obligations (minimum five years from the date the business relationship ends, per PCMLTFA and BSA/FinCEN)
  • Audit log retention requirements (seven years, per Anton's logging and monitoring policy)
  • Ongoing regulatory investigations or legal holds

PII stored in Basis Theory's vault is deleted in accordance with Basis Theory's data retention agreement. KYB/KYC records in Persona are managed per Persona's data processing agreement.

11. Audits

The Merchant may, upon reasonable notice and no more than once per year, audit Anton's compliance with this DPA. Audits are subject to confidentiality obligations and reasonable scope limitations. Anton will provide summary reports of applicable security certifications upon request.

12. Liability

Each party's liability for breaches of this DPA is subject to the limitations set forth in the underlying Merchant Services Agreement or MSA. The Merchant warrants that it has the legal basis and authority to process the personal data, has obtained all necessary consents, and will not instruct Anton to process data in a manner that violates Applicable Data Protection Laws.

13. General Provisions

This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, except that data protection provisions will be interpreted in accordance with Applicable Data Protection Laws. If any provision is found unenforceable, the remaining provisions remain in full force. This DPA may only be modified by written agreement signed by both parties.

14. Contact

For questions about this DPA or data protection matters, please contact:

Anton Payments, Inc.
Compliance Department
Email: legal@antonpayments.com